Re: Hidden master DNS

From Mike Orr

Answered By Dan Wilder

How do you do the hidden master trick for DNS? In my case, my computer
is the real master and my friend runs two secondaries. However, the
registrar lists only his servers. Is that all that's needed to make
his secondary appear to be the master from the public's
perspective, or do I have to do something else too?

[Dan]
First bear in mind that "master" and "slave", a relationship
between servers, has nothing whatever to do with "primary"
and "secondary", an arbitrary ordering of servers on a list
your registrar maintains for you. Many sysadmins confuse the
two, partly because similar terms are sometimes used, and
much grief results.

1) List any servers you think will serve your domain with your
registrar, in any order you please.

2) Set up any relationship you want between your DNS servers.
The master/slave relationship is established (when using BIND)
in the named.conf stanzas. For the master:

zone "mydomain.com" {
    type master;
    file "mydomain.com";
};

and put the "mydomain.com" zone file where the server expects
to find it.

You don't have to list the actual master server at all. It is
sufficient that the listed servers know the IP address of the
actual master. The registrar doesn't need this information.
Then it's a "hidden master".

Somewhat related to this is so-called "split DNS". Use this when
you have a firewalled network containing hosts known internally
as a part of your domain, but which are not visible outside.

Set up a master DNS server inside and point all your hosts at it.
In the "options" section:

which turns off notification to anybody, allows nobody to
get a copy of locally maintained zone files, and specifies
a few nameservers, typically those of your ISP, as the
places to query for domains the server doesn't consider
itself definitive for.

Then, for your own domain, a stanza that says:

zone "mydomain.com." IN {
    type master;
    file "mydomain.com";
};

and the "mydomain.com" zone file contains records for
internal hosts, plus all external hosts listed in the
mydomain.com zone file in the outside nameserver.

All my domains are "master" in my /etc/bind/bind.conf. My friend has
who-knows-what settings to download my information to his secondary
servers. I'm not sure whether the records appear as "master" or "slave"
on his server. I want his first secondary server (the one listed first
at the registrar) to appear authoritative to the public, so that the
public won't be querying my server. Does he have to do anything else?
I asked him, but he said he thought hidden master was something I set at
my end.

[Dan]
Nope.

"Hidden" is set at the registrar. That is, you don't register your
server. That makes it hidden.

Your server has to consider itself "master" but that's already set up.

If you want your hidden master to actually control anything, your
friend has to set the stanza for your domain in his named.conf file
to "slave" with the IP of your machine in the "masters" keyword
in the stanza. That's what makes your server a "master".

Or else he has to set his stanza to "master", and you have to
send him a copy of your zone file every time you change it, and he
has to put it in place. But then your machine isn't a "hidden master".

If the transfer happens on a timely basis, nobody outside cares how the
zone file gets to his machine. If he'll cooperate it saves work
on your part and on his.
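As an added illustration (not part of the original exchange), here is what the hidden-master/slave pairing and the split-DNS options described above look like in BIND named.conf syntax. The addresses are placeholders: 192.0.2.10 is assumed to be the hidden master, 198.51.100.1 and 198.51.100.2 the friend's publicly listed servers, and 203.0.113.53 an ISP resolver.

```conf
// --- On the hidden master (constructed example; addresses are placeholders) ---
acl "public-secondaries" { 198.51.100.1; 198.51.100.2; };

options {
    directory "/var/cache/bind";
    // Only the listed public servers may pull the zone; everyone else is refused.
    allow-transfer { "public-secondaries"; };
    // Send NOTIFY only to the servers named below after a serial bump.
    notify explicit;
    also-notify { 198.51.100.1; 198.51.100.2; };
};

zone "mydomain.com" {
    type master;
    file "mydomain.com";
    // The NS records inside this zone file should name only the
    // friend's servers, matching the registrar delegation, so the
    // public never learns this host's address.
};

// --- On each of the friend's publicly listed servers ---
zone "mydomain.com" {
    type slave;
    file "slaves/mydomain.com";
    masters { 192.0.2.10; };      // the hidden master it transfers from
    allow-transfer { none; };     // nobody pulls a copy from here
};

// --- Split DNS: the internal master behind the firewall ---
options {
    directory "/var/cache/bind";
    notify no;                    // tell nobody about changes
    allow-transfer { none; };     // hand out no copies of internal zones
    forwarders { 203.0.113.53; }; // ISP resolvers for everything else
};

zone "mydomain.com." IN {
    type master;
    file "mydomain.com";          // internal hosts plus the public records
};
```

The three sections belong in three different named.conf files; they are shown together only for comparison.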

He's already set up to automatically pull the data from my server; that
was set up years ago. I guess that means he's a "slave". But I thought
"secondary" was the term for that, and that his record would tell the
public to go to my server for the authoritative source, but I guess
that's not the case.

[Dan]
No. That's the confusion due to similar terms being used in the
same context for different things, that I've been fighting off and
on about with slightly underqualified sysadmins who don't realize
the extent of their underqualification, for years.

"Primary" and "Secondary" should be used to denote a matter of
public record, the nameservers listed with a registrar for
a domain. They should never be used to denote the private
relationship between servers, of which the registrar knows
nothing.

"Master" and "Slave" should be used to denote a privately
arranged relationship between servers configured to furnish
DNS information about a particular domain. This has nothing
to do with the matter of public record mentioned previously.